New vulnerabilities in existing software applications are discovered every day, and leaving vulnerabilities unpatched is an open invitation to hackers to penetrate your network and take control of your machines.
That’s why it is vital to monitor security mailing lists and Web sites such as SecurityFocus to keep up with news about newly discovered vulnerabilities in any of the software on your network, so that you can apply a patch (after suitable testing) as soon as the vendor or open source community issues one.
But this is not as easy as it sounds. What happens if you miss an announcement, or a patch doesn’t get applied properly, or you simply forget to take any action? And what about software that users have installed without your knowledge? How can you be sure that all the authorized software on your network has been updated with the most recent patches, and that no user has installed any unauthorized software which could also introduce vulnerabilities onto your network?
One solution is to use a vulnerability scanner. A network-based vulnerability scanner detects local and remote hosts, identifies the software running on them, and warns you if software with known vulnerabilities is found. A number of commercial solutions exist, such as Tenable Network Security’s Nessus (which runs on Windows, OS X, Linux and UNIX), SAINT Corporation’s SAINT scanner (OS X, Linux and UNIX) and eEye Digital Security’s Retina (Windows only). Free, open source tools also exist (the well-known Metasploit framework is often mentioned here, although it is primarily an exploitation framework rather than a vulnerability scanner), but it’s fair to say that this is an area where commercial products rule the roost.
To be effective a vulnerability scanner needs to be easy to use. But more importantly it needs to make remediation as easy as possible – otherwise there is a risk that it simply won’t get done. For organizations with a large number of Windows users, one of the most effective products is Network Software Inspector (NSI) from Denmark-based Secunia.
NSI is controlled from a central console by an administrator and launched manually or automatically on a schedule. Once running, it finds local Windows machines on the network to scan by IP address or range, by individual host name, or by group (either defined manually by IP addresses or taken from Active Directory). Remote machines can also be scanned if suitable network administrator credentials are supplied. NSI scans all the hosts it finds for .exe, .dll and .ocx files, identifies their digital signatures, and inventories the installed software it comes across by name and version number.
Each application is then checked against Secunia’s vulnerability database and flagged as either secure, insecure (meaning that known vulnerabilities exist for the installed version of the software) or end of life (meaning that the developer is no longer actively updating the software.)
Scanners that cannot identify version numbers can only recognise that a particular application is present and warn that earlier versions of that product have known vulnerabilities, leaving it to the administrator to find out whether the installed version is actually affected.
Once NSI has identified any vulnerable software, the scanner reports where the software is installed, a description of the vulnerability (such as a buffer overflow) and a rating of its seriousness and possible consequences. Most importantly, the report also includes the solution to the security problem, usually a direct link to the Web site where a patch can be downloaded immediately. By comparing the results for any given machine with previous results, NSI identifies and highlights any software that has been added (or removed) since the last scan, which is how unauthorized installations by users come to light. Network administrators can also be alerted to any new vulnerabilities by SMS, useful when scans are initiated automatically, so that they can be given immediate attention.
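The logic behind the last three paragraphs (version-aware matching of an inventory against a vulnerability database, the secure / insecure / end-of-life verdict, the remediation link, and the diff against the previous scan that surfaces new installs) is simple enough to sketch. The Python below is an added illustration written for this page; it is not Secunia’s code, and the product names, advisory IDs, patch URLs and host inventories are all constructed. It also shows the trap a version-blind scanner falls into: every install of a product with any advisory gets flagged, patched or not.

```python
import re
from typing import Dict, List, Tuple

# Constructed vulnerability database for the example (not Secunia's data).
# "fixed_in" is the first safe version; "eol" marks a product whose
# developer no longer ships fixes at all.
VULN_DB = {
    "ExampleReader": [
        {"id": "EX-2008-001", "severity": "Highly critical",
         "desc": "buffer overflow in document parser", "fixed_in": "9.1.0",
         "patch_url": "https://vendor.example/reader/9.1"},
    ],
    "ExampleArchiver": [
        {"id": "EX-2008-002", "severity": "Moderately critical",
         "desc": "path traversal when extracting archives", "fixed_in": "3.80",
         "patch_url": "https://vendor.example/archiver/3.80"},
    ],
    "LegacyViewer": [{"eol": True, "desc": "vendor no longer issues updates"}],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'9.1.0' -> (9, 1, 0). Numeric compare, so 1.10 > 1.9 (a string compare gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; pads with zeros so '3.80' compares equal to '3.80.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

def classify(product: str, version: str) -> Tuple[str, List[dict]]:
    """Return ('secure'|'insecure'|'end of life'|'unknown', matching advisories)."""
    advisories = VULN_DB.get(product)
    if advisories is None:
        return "unknown", []          # not in the database: the scanner cannot vouch for it
    if any(a.get("eol") for a in advisories):
        return "end of life", advisories
    hits = [a for a in advisories if version_cmp(version, a["fixed_in"]) < 0]
    return ("insecure" if hits else "secure"), hits

def name_only_flag(product: str) -> bool:
    """What a version-blind scanner does: flag every install of a product that has any advisory."""
    return product in VULN_DB

Inventory = Dict[str, List[Tuple[str, str, str]]]   # host -> [(product, version, path)]

def scan_report(inventory: Inventory) -> List[dict]:
    """One finding per installed application, with a remediation link where one is known."""
    report = []
    for host, apps in inventory.items():
        for product, version, path in apps:
            status, hits = classify(product, version)
            report.append({"host": host, "product": product, "version": version, "path": path,
                           "status": status,
                           "fixes": [(h["id"], h["severity"], h["desc"], h["patch_url"])
                                     for h in hits if "patch_url" in h]})
    return report

def diff_inventory(previous: Inventory, current: Inventory) -> Dict[str, Dict[str, set]]:
    """Per host: software added or removed since the last scan (how unauthorised installs surface)."""
    out = {}
    for host in set(previous) | set(current):
        before = {(p, v) for p, v, _ in previous.get(host, [])}
        after = {(p, v) for p, v, _ in current.get(host, [])}
        out[host] = {"added": after - before, "removed": before - after}
    return out

# Constructed sample inventories, as two successive scans of two hosts might produce.
LAST_WEEK: Inventory = {
    "ws01": [("ExampleReader", "9.0.2", r"C:\Program Files\ExampleReader\reader.exe"),
             ("ExampleArchiver", "3.80", r"C:\Program Files\ExampleArchiver\arch.exe")],
    "ws02": [("ExampleReader", "9.1.0", r"C:\Program Files\ExampleReader\reader.exe")],
}
TODAY: Inventory = {
    "ws01": [("ExampleReader", "9.1.0", r"C:\Program Files\ExampleReader\reader.exe"),
             ("ExampleArchiver", "3.80", r"C:\Program Files\ExampleArchiver\arch.exe")],
    "ws02": [("ExampleReader", "9.1.0", r"C:\Program Files\ExampleReader\reader.exe"),
             ("LegacyViewer", "2.3", r"C:\Users\bob\AppData\Local\LegacyViewer\lv.exe")],
}

if __name__ == "__main__":
    for f in scan_report(TODAY):
        print(f"{f['host']:5} {f['product']:16} {f['version']:6} {f['status']:12}", *f["fixes"])
    for host, d in sorted(diff_inventory(LAST_WEEK, TODAY).items()):
        print(host, "added:", d["added"], "removed:", d["removed"])
```

In the sample data ws01 has moved from the affected 9.0.2 to the fixed 9.1.0 between scans and is now reported secure, whereas `name_only_flag` would still raise it; ws02 has gained a per-user install of an end-of-life viewer under `AppData`, which the inventory diff surfaces even though no advisory names a specific bug in it. A real scanner needs a far richer version grammar (build suffixes, vendor-specific numbering) and affected-range data rather than a single `fixed_in`, but the shape of the problem is the same.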
What about laptop users who are frequently disconnected from your corporate network and therefore more difficult to scan on a regular basis? To ensure that these machines are not missed Secunia provides an NSI agent. This small piece of software checks in to your network whenever a laptop is connected to the Internet to see if a scan is due. If so it will scan the laptop and post its results back to the administration console as if it were just another device on the network.
NSI is certainly not the only vulnerability scanner on the market, and it is limited in that it only scans Windows servers and end user machines. But at 20 euros per machine per year it provides a relatively inexpensive way of ensuring that your network doesn’t get compromised by hackers exploiting known vulnerabilities in software that should already have been patched. That could save a considerable amount of money, not to mention professional embarrassment, or even your job.